Automated on Call and Ad Hoc Access to Restricted Resources

1. A method for automatically granting and revoking access to restricted resources based at least in part on selected ones of an indicator stored with an access resource or an ad hoc request from a requestor, the restricted resources include a first restricted resource and a second restricted resource, the method comprising: periodically retrieving the indicator from the access resource, the indicator at least identifying a first entity having an associated on call status; automatically determining an access for the first entity to the first restricted resource based at least in part on the indicator; receiving the ad hoc request to authorize a second entity with access to the second restricted resource for a time period; determining if the requestor is authorized to make the ad hoc request, and if so, granting the second entity access to the second restricted resource; sending a message corresponding to the ad hoc request from the requestor; automatically de-authorizing the first entity based at least in part on the indicator; and automatically de-authorizing the second entity based at least in part on the time period.

2. The method of claim 1 , further comprising determining the indicator fails to identify the first entity with an on call status.

3. The method of claim 1 , further comprising determining an expiration of the time period.

4. The method of claim 1 , wherein the determining if the requestor is authorized further comprising: verifying compliance with a request limit associated with the ad hoc request; wherein the requestor is unauthorized to make the ad hoc request based at least in part on a noncompliance with the request limit.

5. The method of claim 4 , wherein the request limit corresponds to a frequency of receiving ad hoc requests associated with one or more of the requestor and the second entity.

6. The method of claim 1 , in which a group messaging platform may distribute messages having an associated topic, the method further comprising providing the message to the messaging platform with an associated topic corresponding to the ad hoc request.

7. The method of claim 1 , in which a directory service permits access to the first restricted resource based at least in part on membership in a directory service group, the method further comprising: automatically adding the first entity to the directory service group based at least in part on the indicator; and granting the first entity the access to the first restricted resource based at least in part on being a member of the directory service group.

8. The method of claim 7 , the method further comprising: automatically removing the first entity from the directory service group based at least in part on the indicator; and denying the first entity the access to the first restricted resource after the removing the first entity from the directory service group.

9. The method of claim 1 , in which the restricted resources are hosted in a virtual private cloud (VPC), a directory service is hosted by a cloud service, and a chat system is accessible by both the VPC and the cloud service, the method further comprising: providing the message to the chat system; and receiving, responsive to the providing the message, data from the cloud service data indicating at least whether the requestor is authorized to make the ad hoc request.

10. A system to automatically grant and revoke access to restricted resources based at least in part on selected ones of an indicator stored with an access resource or an ad hoc request from a requestor, the restricted resources include a first restricted resource and a second restricted resource, comprising: a processor; and memory coupled to the processor and storing instructions that, when executed by the processor, cause the system to perform operations comprising: periodically retrieve the indicator from the access resource, the indicator at least identifying a first entity having an associated on call status; automatically determine an access for the first entity to the first restricted resource based at least in part on the indicator; receive the ad hoc request to authorize a second entity with access to the second restricted resource for a time period; determine if the requestor is authorized to make the ad hoc request, and if so, grant the second entity access to the second restricted resource; send a message corresponding to the ad hoc request from the requestor; and automatically de-authorize the first entity based at least in part on the indicator, and de-authorize the second entity based at least in part on the time period.

11. The system of claim 10 , the instructions including further instructions to cause the system to perform: determine the indicator fails to identify the first entity with an on call status.

12. The system of claim 11 , the instructions including further instructions to cause the system to perform: determine an expiration of the time period.

13. The system of claim 10 , wherein the instructions to determine if the requestor is authorized further including instructions to cause the system to perform: verify compliance with a request limit associated with the ad hoc request; and determine the requestor is unauthorized to make the ad hoc request based at least in part on a noncompliance with the request limit; wherein the request limit corresponds to a frequency of receiving ad hoc requests associated with one or more of the requestor and the second entity.

14. The system of claim 10 , in which a group messaging platform may distribute messages having an associated topic, the instructions including further instructions to cause the system to perform: provide the message to the messaging platform with an associated topic corresponding to the ad hoc request.

15. The system of claim 10 , in which a directory service may permit or deny access to the first restricted resource based at least in part on membership in a directory service group, the instructions including further instructions to cause the system to perform: automatically add the first entity to the directory service group based at least in part on the indicator, and grant the first entity the access to the first restricted resource based at least in part on being a member of the directory service group; and automatically remove the first entity from the directory service group based at least in part on the indicator, and deny the first entity the access to the first restricted resource after the removing the first entity from the directory service group.

16. The system of claim 10 , in which one or more network interconnects a virtual private cloud (VPC) hosting the restricted resources, a cloud service hosting a directory service, and a chat system, the instructions including further instructions to cause the system to perform: provide the message to the chat system; and receive, responsive to the provide the message, data from the cloud service data indicating at least whether the requestor is authorized to make the ad hoc request.

17. A computer readable memory having instructions stored thereon for revoking access to restricted resources based at least in part on selected ones of an indicator stored with an access resource or an ad hoc request from a requestor, the restricted resources include a first restricted resource and a second restricted resource, the instructions that, in response to execution by a processor, are operable to perform operations including: periodically retrieve the indicator from the access resource, the indicator at least identifying a first entity having an associated on call status; automatically determine an access for the first entity to the first restricted resource based at least in part on the indicator; receive the ad hoc request to authorize a second entity with access to the second restricted resource for a time period; determine if the requestor is authorized to make the ad hoc request, and if so, grant the second entity access to the second restricted resource; send a message corresponding to the ad hoc request from the requestor; and automatically de-authorize the first entity based at least in part on the indicator, and de-authorize the second entity based at least in part on the time period.

18. The memory of claim 17 , the instructions including further instructions that, in response to execution by a processor, are operable to perform: determine the indicator fails to identify the first entity with an on call status; determine an expiration of the time period; determine a frequency of receiving ad hoc requests associated with one or more of the requestor and the second entity; compare the frequency of receiving ad hoc requests with a request limit, verify compliance with the request limit; and determine the requestor is unauthorized to make the ad hoc request based at least in part on a noncompliance with the request limit.

19. The memory of claim 17 , in which a group messaging platform may distribute messages having an associated topic, the instructions including further instructions that, in response to execution by a processor, are operable to perform: provide the message to the messaging platform with an associated topic corresponding to the ad hoc request.

20. The memory of claim 17 , in which one or more datapath connects a virtual private cloud (VPC), a cloud service, a chat system, and a cloud system, the instructions including further instructions to cause the system to perform: receive from the VPC data corresponding to the restricted resources; receive from the cloud service data corresponding to a directory service controlling access to the restricted resources based at least in part on membership in a directory service group; automatically add the first entity to the directory service group based at least in part on the indicator, and grant the first entity the access to the first restricted resource based at least in part on being a member of the directory service group; automatically remove the first entity from the directory service group based at least in part on the indicator, and deny the first entity the access to the first restricted resource after the removing the first entity from the directory service group; provide the message to the chat system; and receive, responsive to the provide the message, data from the cloud service data indicating at least whether the requestor is authorized to make the ad hoc request.